Wednesday, April 29, 2009

ISAserver.org - April 2009 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of April 2009
Sponsored by: GFI
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP.
Each month we will bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to: tshinder@isaserver.org


1. Does Virtualization Mean the End of Firewalls as You Know Them?
--------------------------------------------------------------

Virtualization is a disruptive technology. It does not just influence how you do one or two things, it completely changes how you approach the entire network and application infrastructure. Very few companies that I have worked with in the last year have been untouched by virtualization. Even those who are part of the "long tail" are in the process of rearchitecting their designs to gain the benefits virtualization provides.

What is interesting is the effect this seems to have had on firewalls and other pieces of network security gear. Network devices that you would never think of as being open to virtualization are now being converted to "software" (virtual machines) and deployed as virtual devices. Now you see virtual firewalls, virtual application gateways, virtual routers, virtual layer 3 switches, and virtual IDS/IPS systems. It's looking like anything that was once the sole province of "hardware" can now be virtualized.

I find this to be a fascinating turn of events. Back in the 1990s, and still prevalent today, was the idea that a "hardware" firewall had some sort of inherent security advantage over a "software" firewall. This misconception enabled "hardware" firewall vendors to get away with insane margins, as their software ran on marginal hardware devices priced at multiples of their true value. While you cannot blame people for thinking "hardware" would be more, well, "hard", than software, the "hardware" firewall vendors did nothing to disabuse the hapless network admins of this misconception. Who can blame them? Make hay when you can, because someday things are going to change.

Virtualization ushered in that change. Now I see people using virtualized firewalls to save on cost and management overhead. Modern virtualization platforms introduce little in terms of performance hits, and enable superior uptime, redundancy, and disaster recovery. Management is easier too, since if a virtual firewall becomes corrupted, you can easily return to a good snapshot or restore from a backup – much more cost effective and convenient than keeping a second (or third, fourth, fifth or sixth) firewall in tow in case of emergency, or waiting for the vendor to send you a replacement overnight.

But I think the most important thing about firewall virtualization is that it should remove the last vestiges of belief that "hardware" firewalls confer more security than "software" firewalls. The fact that many former "hardware" only firewalls are now available in virtualized formats goes to show that when the economics of computing exert enough pressure, it enables the truth to be borne out – all firewalls are just software, and it's the security of the software, not the form factor, that’s the overarching issue when it comes to firewall evaluation and selection. Even Cisco has come to realize that their hardware margins are falling and will continue to fall, and that they are going to need to transform themselves into a software and services company if they want to continue to be relevant.

At this point I am sure you are expecting me to say that I encourage you to run your TMG firewall in a virtual environment, or that a virtualized TMG firewall is the best way to go. I am not going to say that, and I cannot say that, because it's not true. The fact is that while virtualization is a great technology for server consolidation, streamlined management, enhanced disaster recovery and high availability, the firewall is still a mission critical focal point for your security organization. Because of this, it's important to minimize the variables in the security equation and reduce the attack surface and points of failure.

Sure, you can create a four member TMG firewall array on your virtual server at a tiny fraction of the price that you could if you implemented as a dedicated hardware solution. However, what happens when that server dies? The power supply dies, the disk(s) die, the memory goes bad or the NIC fails. Now the entire array is down. Sure, you can spend premium dollars for redundant power supplies and RAID, and NIC teaming, but there's no redundant memory and can you really justify the costs compared to buying dedicated TMG firewall devices?

Running TMG firewalls on dedicated hardware ends up costing less, and providing higher availability than running them on a souped-up virtualized platform. In addition, you bypass the potential security issues involved with virtual partitions. Yes, I am aware of the advances made in modern hypervisors to protect virtual partitions from one another, and even the advances that Intel and AMD have made to strengthen this barrier. But do I trust it so much that I am willing to put my key gateway devices in a virtualized environment? I want to, I really do. But I am just not at the point where I see the risk/benefit ratio being small enough for me to be willing to take that chance.

What do you think? Is virtualization security at a high enough level at this time where you are willing to put key assets that are the focus of constant attack in a virtual container? Do you think that virtualization is great for almost any asset, but key network security devices should continue to remain "physical"? Do you think that it's actually more cost effective to buy redundant hardware and servers for a more complex virtualized firewall environment?

Let me know! Send a note to tshinder@isaserver.org and I'll share your opinions in the next newsletter.

ISA FIREWALL ALERT

Microsoft has received several calls about installation failures after installing the recent ISA firewall security updates. If you are having problems with an Event ID 14109 error, click here for instructions <http://blogs.technet.com/isablog/archive/2009/04/18/ms09-012-and-isa-server-standard-edition-14109-failures.aspx> on how to get going again.


Tom
tshinder@isaserver.org

Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt <http://www.blackhat.com/html/bh-usa-09/train-bh-usa-09-tm-ms-bbe.html>. Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you in on the secret tweaks that we use to get an edge over the bad guys.

For ISA and TMG and other Forefront Consulting Services in the USA, call me at
Prowess Consulting <http://www.prowessconsulting.com>
206-443-1117

=======================
Quote of the Month - "The difference between ordinary and extraordinary is that little extra." - Jimmy Johnson
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally thousands of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

We have a great group of articles in the Learning Zone that will help you get a
handle on your most difficult configuration issues. Here are just a few of the
newer and more interesting articles:

* Explaining ISA Server 2006 Web Server load balancing
<http://www.isaserver.org/tutorials/Explaining-ISA-Server-2006-Web-Server-load-balancing.html>

* Celestix MSA Series Voted ISAserver.org Readers' Choice Award Winner - ISA Appliance
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Hardware-Appliances-Celestix-MSA-Series-Jan09.html>

* Overview of New Features in TMG Beta 2 (Part 1)
<http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part1.html>

* Product Review: Winfrasoft Gateway Appliances
<http://www.isaserver.org/tutorials/Product-Review-Winfrasoft-Gateway-Appliances.html>

* Installing and configuring Microsoft Forefront TMG Beta 2
<http://www.isaserver.org/tutorials/Installing-configuring-Microsoft-Forefront-TMG-Beta2.html>

* Overview of New Features in TMG Beta 2 (Part 2)
<http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part2.html>

* Configuring and using the E-Mail protection feature in Microsoft Forefront Threat Management Gateway Beta 2 (Part 1)
<http://www.isaserver.org/tutorials/Configuring-using-E-Mail-protection-feature-Microsoft-Forefront-Threat-Management-Gateway-Beta-2-Part1.html>


4. KB Article of the Month
---------------------------------------------------------------

The first security update to hit ISA and TMG in over 4 years came out this month. Make sure you update your ISA and TMG firewalls with this update as soon as possible. Several of us have tested this update and have found no problems with it. However, be aware that if you install from an external location, the firewall service will be restarted and you will be disconnected from your RDP session. If you are installing from an internal location, you shouldn't have any problems.

Check out these links for the fixes:

* TMG:
<http://www.microsoft.com/downloads/details.aspx?FamilyID=6abf9fb4-42d0-4c67-935f-8dc67850148b&displaylang=en>

* ISA 2004 SE:
<http://www.microsoft.com/downloads/details.aspx?FamilyID=adf623fa-2d74-4f2a-9835-4b8debdb0e1b>

* ISA 2004 EE:
<http://www.microsoft.com/downloads/details.aspx?FamilyID=d1d55ab6-3de5-4811-9693-8d43f49f5fe8>

* ISA 2006:
<http://www.microsoft.com/downloads/details.aspx?FamilyID=eda30bcc-0582-4f60-a4c5-ea5000b7c770>


5. Tip of the Month
--------------------------------------------------------------

Having problems with Java app authentication through the ISA Firewall? Check out this thread on the ISAserver.org <http://forums.isaserver.org/m_2002047985/mpage_1/key_/tm.htm#2002084465> message boards for some possible help.

I ran into an interesting situation last month where one of my customers complained that he could not download files over 50 MB when the ISA firewall compression filter was enabled. When the filter was disabled, he was able to download files larger than 50 MB. Unfortunately, it also broke some sites, such as www.masters.com and www.audiusa.com. From what I have been told, the compression filter is not supposed to block large file downloads. If you are having similar problems, send me a note at tshinder@isaserver.org and let us see if we can figure this out.

Want to use multiple ISPs? Then check out the new Beta 2 TMG firewall. The Forefront TMG firewall Team Blog <http://blogs.technet.com/isablog/archive/2009/02/16/keeping-high-availability-with-forefront-tmg-s-isp-redundancy-feature.aspx> shows you how to make it work.


6. ISA/TMG/IAG Links of the Month
--------------------------------------------------------------

* Forefront TMG PM Video
<http://edge.technet.com/Media/Forefront-Threat-Management-Gateway-TMG-PM-video/>

* Virtualize Your ISA and TMG Firewalls
<http://edge.technet.com/Media/Virtualize-your-ISA-or-Forefront-TMG-servers/>

* IAG 2007 SP2 Video with Uri Lichtenfeld
<http://edge.technet.com/Media/IAG-SP2-hits-RTM-details-under-the-cover-interview/>

* Why IAG 2007 Beat the Competition in the SSL VPN Market
<http://edge.technet.com/Media/SSL-VPN-comparison-with-IAG/>

* Upgrading from TMG Beta 1 to TMG Beta 2
<http://technet.microsoft.com/en-us/library/dd440995.aspx>


7. Blog Posts
--------------------------------------------------------------

* Using the ISA HTTP Filter To Modify Via Headers And Prevent Information Disclosure
<http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/>

* Resource Guide for Microsoft Active Directory Communications and ISA Server Firewalls
<http://blog.msfirewall.org.uk/2009/02/resource-guide-for-microsoft-active.html>

* Forefront Security for Exchange Server SP1 Capacity Planning Tool
<http://blogs.isaserver.org/shinder/2009/04/17/forefront-security-for-exchange-server-sp1-capacity-planning-tool/>

* Affordable Two-factor Security for Microsoft ISA Firewalls from Collective Software
<http://blogs.isaserver.org/shinder/2009/04/17/affordable-two-factor-security-for-microsoft-isa-firewalls-from-collective-software/>

* Sandwich Mode Insanity Reaches New Levels of Breakage
<http://blogs.isaserver.org/shinder/2009/04/16/sandwich-mode-insanity-reaches-new-levels-of-breakage/>

* Web filtering coverage increased to 165,000,000 URLs
<http://blogs.isaserver.org/shinder/2009/04/14/web-filtering-coverage-increased-to-165000000-urls/>

* Quick ISA and TMG Firewall Tip
<http://blogs.isaserver.org/shinder/2009/04/13/quick-isa-and-tmg-firewall-tip/>

* Test TMG Intrusion Detection System (Network Inspection System) Signatures
<http://blogs.isaserver.org/shinder/2009/04/13/test-tmg-intrusion-detection-system-network-inspection-system-signatures/>

* AV Software on the ISA Firewall?
<http://blogs.isaserver.org/shinder/2009/04/11/av-software-on-the-isa-firewall/>


8. Ask Dr. Tom
--------------------------------------------------------------

* QUESTION:

Dear Tom,
I have purchased some of your books, i.e. ISA 2004; you seem to be the best resource on ISA Server. I have recently deployed a new Forefront TMG back to back layout. I have published OWA on the internal firewall and this works fine using Forms based authentication.

But when I replicate this on the Front end TMG, I cannot access email but keep getting the same login form every time I hit enter.

Can you tell me what I am doing wrong or provide instructions for publishing OWA (Exchange 2007) with a Forefront TMG back to back layout.

Many Thanks
Mo.

* ANSWER:

Hi Mo,

When deploying a back to back TMG firewall configuration, the back-end firewall is typically a domain member and the front-end TMG firewall is in a workgroup. While this isn't a required configuration, I find that this is a functional configuration for the majority of networks that I've worked with. The back-end TMG firewall performs strong authentication and access control, while the front-end TMG firewall performs both stateful packet and application layer inspection.

It sounds like you're trying to configure forms-based authentication on both the front-end and back-end TMG firewalls. That won't work. What you want to do is configure the front-end TMG firewall with an SSL (HTTPS) Server Publishing Rule that allows inbound SSL connections to be forwarded to the back-end TMG firewall. The back-end TMG firewall can then present the form to the user and enable strong user/group based access control, as well as provide strong application layer inspection for incoming connections.

There are some scenarios where you might want to make the front-end TMG firewall a domain member too. However, for the scenario that you present, that definitely isn't a requirement. If you wanted to publish an extranet using the front-end TMG firewall and leverage authentication repositories on the internal network, you could certainly do that by making the front-end TMG firewall a domain member.

Also, for this type of remote access scenario, you might want to consider IAG 2007 SP2. IAG 2007 is a specialized remote access solution that provides the highest level of strong authentication and access control for remote connections to Exchange and SharePoint. For more information, check out the IAG 2007 web site <http://www.microsoft.com/Forefront/edgesecurity/iag/en/us/default.aspx>.


Got a question for Dr. Tom? Send it to tshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

ISAserver.org is in no way affiliated with Microsoft Corp.
Copyright © ISAserver.org 2009. All rights reserved.